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(57) A system and method include means tor 
processing a cryptographic certificate adapted to pro- 
vide security functionality. A register means (244) is pro- 
vided and means (224) for adjusting the register means 
to account for services when the cryptographic certifi- 
cate is processed. The register means may be for stor-. 
ing funds. Means are provided for processing a digital 
token providing proof of postage payment and means 
are also provided for processing a cryptographic certif- 
icate adapted to provide security functionality. Funds 
stored in the register means are debited when the digital 
token is processed and when the cryptographic certifi- 
cate is processed. Processing the cryptographic certifi- 
cate may involve many functions such as providing se- 
curity services and/or certificate management functions 
(including generating and verifying cryptographic certif- 
icates) and/or key management functions and/or access 
to any needed private keys to perform security services. 
Processing the digital token may include generating the 
digital token or issuing the digital token. 
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Description 

The present invention pertains to certification of us- 
ers tor electronic commerce, and more particularly, to a 
secure user certification system for electronic com- 5 
merce that provides an accounting system for services 
provided. 

In electronic commerce various parties conduct ac- 
tivities without face to face contact. Accordingly, it be- 
comes desirable for each party to any given transaction 
to be able to determine and verify the authenticity of the 
other party to the transaction. 

Each user can authenticate messages from the oth- 
er party by the use of a certificate digitally signed by a 
trusted third party. The critical part of the user's certifi- 
cate is the user's public key. The authenticity of the cer- 
tificate can be established by verifying the digital signa- 
ture of the trusted third party. A message from the user 
can be authenticated by verifying that it has been digit- 
ally signed using the private key matching the public key 
In the certificate. 

A transaction may also require security services. 
These may include, for example, message integrity, 
message authentication, message confidentiality, and 
message non-repudiation. The meaning of the message 
integrity is, that the message has not been altered. Mes- 
sage authentication is that the message is genuine and 
was signed by the other party. Message confidentiality 
Is that the message contents are available only to the 
authorized parties to the transaction and no other par- 
ties. And finally, message non-repudiation is that the in- 
itiator of the message is unable to repudiate at a later 
time that the message originated with such party. 

In a traditional paper based transaction, the above 
security services are normally implemented by means 
of signature, seals, stamps and the like. In an electronic 
commerce environment these security services are 
achieved by cryptographic techniques such as digital 
signature, hash codes, encryption algorithms, and the 
like. 

In order to effectively implement the above security 
services, a party to an electronic commerce transaction, 
must have access to a secure cryptographic device ca- 
pable of securely implementing these cryptographic 
techniques. 

it should be recognized that various protocols have 
been designed to implement the above mentioned se- 
curity sen^lces. An example of this is set forth in Section 
2.1 of the US Department of Commerce document en- 
titled Standard for Public Key Cryptographic Entity Au- 
thentication Mechanism, Draft, March 13, 1995, Federal 
Information Processing Standards Publication JJJ. Pub- 
lic key cryptography algorithms including RSA and al- 
gorithms based on Elliptic Curves are used to encrypt, 
authenticate, and verify integrity of messages. Message 
digests are generated with algorithms including MD5 
and the Secure Hash Algorithm (SHA). 

It Is known that to enable the above types of cryp- 



tographic services, a set of keys is needed. This can be 
a set of secret keys (for a secret key system) and/or pub- 
lic and private keys (for a public key system). The secret 
and private keys have to be securely communicated or 
otherwise provided to a user and thereafter protected. 

Public key cryptographic certificates, Certificate Au- 
thority and Certificate Management are also known and 
are the subject of standards. For example ANSI stand- 
ards X.509 deals with Certificate Management and X. 
9.30-3 describes Certificate Management for Digital 
Signature Algorithm. Secure cryptographic Certificate 
Management devices are known that utilize public key 
cryptography to verify certificates of public keys, and 
use the private portion of the key to authenticate docu- 
ments, transactions, and communications and perform 
other cryptographic functions. Various enterprises have 
proposed being a Certificate Authority, for example, the 
United States Postal Service has proposed entering into 
electronic commerce as a Certificate Authority based on 
Its acceptance as a trusted third party. 

The present invention provides practical means of 
implementing certification processes achieving this goat 
for a large group of users on an economical basis. 

An object of the present Invention is to provide a 
convenient payment system for use in electronic com- 
merce. 

Another object of the present invention Is to provide 
a convenient key management system for use In elec- 
tronic commerce. 

Postage meters are known that use secure crypto- 
graphic means to receive funds and to provide conven- 
ient secure evidence of postage payment; however, it 
has been discovered that various postage evidencing 
devices and systems have within them the capability of 
being modified to provide a broader security device 
functionality. 

It has further been discovered that the postage ev- 
idencing devices enable a payment method for the serv- 
ices of the trusted third party. 

A further object of the present invention is to utilize 
a postage or other value evidencing device to provide 
security services. 

Still a further object of the present invention is to 
enable security services such as authentication, data in- 
tegrity and confidentiality by utilizing the user's private 
and/or secret keys stored and protected in the value ev- 
idencing device. 

Yet a further object of the present invention is to im- 
plement certificate management functions such as is- 
sue of certificates, certificate revocatbn and certificate 
verification within a value evidencing device. 

An additional object of the present invention is to 
enable a payment system for the certificate manage- 
ment services provided by the trusted third party. 

Yet an additional object of the present invention is 
to provide for inspection aimed at detection of key com- 
promise carried out by tampering with a value evidenc- 
ing device. 
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A system and method embodying the present in- 
vention include means for processing a cryptographic 
certificate adapted to provide security functionality. A 
register means is provided and means, connected to the 
register means and the processing means, for adjusting 
the register means to account for services when the 
cryptographic certificate is processed and/or when other 
security services are performed. 

In accordance with another aspect of the present 
Invention a system and method include a register means 
for storing funds. Means are provided for processing a 
digital token adapted to be imprinted on a mail piece as 
a proof of postage payment and means are also provid- 
ed for processing a cryptographic certificate adapted to 
provide security functionality. Means are provided which 
are operatively connected to the register means and to 
both the digital token processing means and the certifi- 
cate processing means, to debit funds stored in the reg- 
ister means when the digital token is processed and 
when the cryptographic certificate is processed. 

Reference is now made to the following Figures 
wherein like reference numerals designate similar ele- 
ments in the various views and in which: 

FIGURE 1 is a public key certificate and private key 
helpful to an understanding of the present invention; 

FIGURE 2 is a value metering system, here a post- 
age metering and certificate metering system em- 
bodying the present invention; processing a crypto- 
graphic certificate includes the above mentioned 
certificate management functionsand use of the pri- 
vate key to perform security services; 

Fl GURE 3 is a flow chart of the generation of a cryp- 
tographic postmark which may be associated with 
a message to be communicated by the system 
shown in FIGURE 2. 

FIGURE 3A is a flow chart of the generation of a 
cryptographic postmark by an agent employing the 
system as shown in FIGURE 2; 

FIGURE 4 is a flow chart of the validation of a cryp- 
tographic postnnark as carried out by the system 
shown in FIGURE 2; 

FIGURE 5 is a flow chart of the generation and in- 
stallation of a certificate in the system shown In FIG- 
URE 2; 

FIGURE 6 is a flow chart of a process for revoking 
a certificate generated in accordance with the proc- 
ess shown in FIGURE 5; 

Fl GURES 7A and 7B are examples of various types 
of certificates which may be issued by the system 
shown in FIGURE 2; 



FIGURE 8 is a flow chart of the process for receiving 
a line of credit by the system shown in FIGURE 2; 
and, 

s FIGURE 9 is a flow chart of payment from the line 
of credit implemented by the operation shown in 
FIGURE 8. 

A postage and certificate meter provides certificate 
management sen^ices including use of cryptographical- 
ly secured certificates issued by a certificate authority 
As more transactions are occurring electronically, rather 
than by physical mail, between parties who do not meet 
each other personally, a trusted third party is needed. 
Postal services have an Infrastructure, governmental 
authority, and responsibility for universal access that 
makes them a natural choice for a certificate authority 
although other third parties may also provide services 
and be a certificate authority. The present system pro- 
vides significant advantage, because the postage and 
certificate meter is a secure, inspected cryptographic 
device that the postal service has licensed an authenti- 
cated entity to use. The device extends the use of the 
postage meter to electronic commerce applications 
without duplicating expensive infrastructure. Small 
charges for processing certificates including issuing cer- 
tificates and for processing such as generating and ver- 
ifying electronic certificates also referred to as electronic 
postmarks can be paid using funds stored in the meter. 

A postage and certificate meter combines the func- 
tionality of a postage meter and a certificate manage- 
ment device, providing significant advantage to, the 
postal service (and other certification authorities) and to 
the user The postage and certificate meter is a secure 
cryptographic device with secret information that allows 
secure communication with the certificate authority such 
as a post office or other trusted third party and capability 
to use, manage and execute various security services. 
The postage and certificate meter includes metering 
and accounting capability that allows convenient low 
cost payment of charges per use of a certificate. 

Advantages to the postal service as a trusted third 
party or to any other trusted third party include: manage 
keys for fewer secure devices; increased use of existing 
meter tracking infrastructure; fewer devices to inspect; 
legal right to inspect already in place; provides secure 
communication channel between postage and certifi- 
cate meter and certificate authority; produce authenti- 
cated messages for postal service regarding the status 
and usage of the meter, thus providing additional secu- 
rity and assurance for postal funds and certificate au- 
thority payments; use of the postage and certificate me- 
ter for postage payment provides ongoing assurance to 
the certificate authority that the device is operating cor- 
rectly, and has not been abused. 

Advantages to the user include: a single secure co- 
processor to validate payment of certificate use charges 
and postage reduces the number of secure devices to 
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manage; a single account to pay for certificate usage 
and postage; postage and certificate meter can efficient- 
ly pay certificate authority charges for processing certif- 
icates including new certificates and for use of the cer- 
tificate; secure installation, storage and use of the pri- 
vate portion of the certificate; and, secure revocation of 
certificates. 

Reference is now made to FIGURE 1. A certificate 
102 is a file of data containing certain information which 
provides a secure user certification useful in electronic 
commerce. The certificate 102, which may be an elec- 
tronic file or a tangible file such as a printed document 
or smart card or the like, enables a certificate holder to 
engage in various commercial and other activities which 
require services of authentication, privacy, data integrity 
and non-repudiation. The certificate 102 includes an 
identification of the certificate holder and the certificate 
holder's public key, signed with the private key of the 
certification authority, usually a trusted third party. 

The certificate data may include, for example, the 
unique name of the user, a serial number or certificate 
number, that is. a unique number associated with the 
certificate, the public key of the user, the identity of the 
certificate authority or issuer, the validity dates for the 
certificate and the authorized use of the certificate. The 
private portion of the user's key shown at 118 is main- 
tained and protected by the postage and certificate me- 
ter for the user. It is understood that the user's private 
key Is the private key matching the certificate's public 
key When user wants to send a message, the message 
is signed with the user's private key. The recipient of the 
signed message verifies the authenticity of the sender's 
certificate using the certificate authority's public key, and 
subsequently verifies the authenticity of the message 
using the sender's public key which nnay be obtained 
from the certificate. 

Reference is now made to FIGURE 2. A value and 
certificate metering system shown generally at 202 in- 
cludes a personal computer 204 having a monitor 206, 
a keyboard 208, and is connected to a printer 210. The 
personal computer 204 additionally includes a process- 
ing subsystem 212 having an associated memory 214. 
The processor is connected to a communications port 
216 for communication with a secure postage and cer- 
tificate meter subsystem 218 and a modem 220 for com- 
municating with a remote facility 222. It should be rec- 
ognized that many variations in the organization and 
structure of the personal computer 204 as well as the 
postage metering and certificate metering subsystem 
218 can be implemented. As an example, the commu- 
nications from the modem to the remote facility can be 
by way of hardwire or can be by way of radio frequency 
communications or other communications. The postage 
and certificate metering subsystem take nnany forms, for 
example it may be a secure vault type system, or a se- 
cure smart card system. 

The postage portion of the postage and certificate 
meter 218, for example, may be similartoany of numer- 



ous postage metering systems as for example the sys- 
tems shown in postage metering systems which gener- 
ate and employ digital tokens are described in U.S. Pat- 
ent No. 4,757,537 for SYSTEM FOR DETECTING UN- 
5 ACCOUNTED FOR PRINTING IN A VALUE PRINTING 
SYSTEM, issued July 12, 1988; U.S. Patent No. 
4,831,555 for SECURE POSTAGE APPLYING SYS- 
TEM, issued May 15. 1989; U.S. Patent No. 4,775,246 
for SYSTEM FOR DETECTING UNACCOUNTED FOR 
PRINTING IN A VALUE PRINTING SYSTEM, issued 
October 4, 1988; U.S. Patent No. 4.873.645 for SE- 
CURE POSTAGE DISPENSING SYSTEM issued Octo- 
ber 10, 1989 and, U.S. Patent No. 4,725.71 8 for POST- 
AGE AND MAILING INFORMATION APPLYING SYS- 
TEMS, issued February 16, 1988. These systems, 
which may utilize a device termed a postage evidencing 
device (PED), empby an encryption algorithm which is 
utilized to encrypt selected information to generate the 
digital token. The encryption of the information provides 
security to prevent altering of the printed information in 
a manner such that any change in a postal revenue 
block is detectable by appropriate verification proce- 
dures. Moreover the system for the cryptographic capa- 
bility may employ systems and methods such as those 
disclosed In pending European Patent Application Seri- 
al No. 96105237.0 filed April 1, 1996, for CRYPTO- 
GRAPHIC KEY MANAGEMENT AND VALIDATING 
SYSTEM, which is assigned to Pitney Bowes, Inc., the 
entire disclosure of which is hereby Incorporated by ref- 
erence. 

The postage and certificate meter subsystem 218 
includes a processor 224 coupled to a memory 226. The 
processor has associated with it an encryption engine 
228, a hash function processor 230, a secure clock 232 
and a communications port 234. A key generator 235 is 
also provided for generating keys for use by the postage 
and certificate mailer. If desired, either a secure printer 
or a non-secure printer may be connected to the post- 
age and certificate meter subsystem 218, if a printing 
capability is desired. In the FIGURE 2, a secure printer 
is shown at 236. The memory 226 may have stored with- 
in it different data as well as the operating program for 
the postage and certificate meter subsystem 218. The 
data shown as stored in the memory include the postage 
meter serial number 238. postal keys 240. postage 
piece count 242, postage ascending/descending regis- 
ter 244. If the meter was a current account meter unit 
such as employed in certain European countries, the as- 
cending/descending register would be only an ascend- 
ing register. Current account systems may be employed 
in the present system. 

Additionally stored within the postage and certifi- 
cate meter 21 8 memory 226 are user's private key 246, 
certificate piece count 248, and certificate ascending/ 
descending register 250. This register may be combined 
with the postage ascending/descending register. Other 
certificate data shown generally at 252 may also be 
stored in the memory as well as a certificate communi- 
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cations key 256. A Table of Services Rates is provided 
at 257. This table includes the rates for the various serv- 
ices that may be obtained when processing a crypto- 
graphic certificate and/or when processing a digital to- 
ken. The rating system for the postage and certificate 
meter 218 may implement the system disclosed in U.S. 
Patent No. 5,448,641 issued September 5, 1995 for 
POSTAGE RATING SYSTEM WITH VERIFIABLE IN- 
TEGRITY, the entire disclosure of which is hereby incor- 
porated by reference. As is shown by memory area 254, 
more than one certificate may be stored in the memory 
226. 

It should specifically be noted that processing a 
cryptographic certificate may involve security services 
and/or certificate management functions including gen- 
erating and verifying cryptographic certificates and/or 
key management functions and/or access to any need- 
ed private keys to perform security services. 

Reference is now made to FIGURE 3 depicting the 
generation of a cryptographic postmark. A cryptograph- 
ic postmark is a datafile which may contain message 
digest, date, time and other data which may be required 
to provide security services. A message is generated at 
302. The message may be generated in the computer 
204 or elsewhere depending upon the particular needs 
of the user. A message digest is obtained at 304 em- 
ploying the hash function processor 230 of the postage 
and certificate meter subsystem 218. The postmark 
content is assembled at 306. Postmark content as was 
previously noted may include the message digest, a 
date time stamp from the secure clock 232, a serial 
number, and any other desirable data as an option. A 
determination is made at 308 if sufficient funds exist in 
the postage and certificate meter subsystem 21 8 to pro- 
ceed with the generation of the cryptographic postmark. 
It should be recognized that these funds may be stored 
in the descending certificate register, the descending 
postal register or other registers within the subsystem 
containing an indication of available funds of the user or 
party paying for the postmark. If sufficient funds are not 
available, the request for postmark generation is reject- 
ed at 31 0. If, on the other hand, sufficient funds are avail- 
able, the funds are deducted for the signing of the as- 
sembled postmark content at 31 2. The postmark con- 
tent is then signed at 314 to produce a postmark and 
the message, postmark and certificate are sent to the 
desired location at 316. This may be a remote facility 
where it is first communicated through the communica- 
tions port 234 to the personal computer communication 
port 216 and thereafter via the processor 212 and mo- 
dem 220 to the remote facility. Alternatively, the secure 
(or non-secure) printer of the postage and certificate 
meter sub unit 218 may print a hard copy of the mes- 
sage, postmark and certificate. This also may be printed 
on printer210of the personal computer. Additionally, the 
message, postmark and certificate may also be stored 
in memory 214 of the personal computer 204 and/or 
memory 226 of the postage and certificate meter 218. 



Reference is now made to Figure 3A, a user of the 
postage certificate meter 218 can act as a certificate 
agent. For example, a business may wish to issue cer- 
tificates for their employees. The postage and certificate 
5 meter 218 can provide a tool to securely generate the 
public and private keys. The postage and certificate me- 
ter 218 private key can be employed to sign the certifi- 
cate. Another party who receives the certificate has as- 
surance that the certificate was generated under the au- 
thority of the postage certificate meter 218 issued to that 
business. 

The agent sends a request for a certificate to the 
agent's certificate meter at 350. The request may in- 
clude any data typically included In a certificate including 
expiration date, issuing authority, purposes the certifi- 
cate is authorized for, the unique name of the party the 
certificate is issue for, and any other data describing al- 
lowed or limited uses of the certificate. The certificate 
meter generates a public and private key pair at 351. 
The process of generating the key pair is secured in the 
certificate meter in the key generator of the postage and 
certificate meter 218. At 354 the private key is sent to 
the receiver The private key must be securely commu- 
nicated to the receiver, for example it may be encrypted, 
or security measures may be taken to provide assur- 
ance that the key is not intercepted. The postage and 
certificate meter 218 assembles the certificate data at 
356. At 358 the certificate meter 218 determines the 
charge for signing the certificate, and if a determination 
is made that there is not sufficient funds to pay for sign- 
ing the certificate data with the agent's certificate meter 
private key. then the request is rejected at 360. If a de- 
termination is made at 358 that there is sufficient funds 
then funds for signing are deducted at 362 and the cer- 
tificate is signed at 364 and the certificate sent to the 
receiver at 366. 

Reference is now made to Figure 4 showing the val- 
idation of a cryptographic postmark. A request for vali- 
dation of the postmark is initiated at 402. A determina- 
tion is made at 404 if sufficient funds are available within 
the postage and certificate meter subsystem 218. If suf- 
ficient funds are not available the request is rejected at 
406. If sufficient funds are available the requester utiliz- 
es the certificate authority's public key to verify the sig- 
nature of the certificate at 408 and accounts for it. If the 
signature is determined not to be valid at 410, the cer- 
tificate is rejected at 41 2. If the signature is determined 
to be valid at 410, a message digest is generated and 
compared with the decrypted postmark at 414. A deter- 
mination is made at 41 6 if the generated message digest 
and the message digest in the decrypted postmark 
match. If they do not match the postmark is rejected at 
418. If, on the other hand, they do match, the postmark 
is reported as valid at 420. 

Reference is now made to FIGURE 5. A request for 
installation of the certificate is initiated at 502. A deter- 
mination is made at 504 if sufficient funds are available 
in the postage and certificate meter subsystem 218 to 
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cover the charges associated with processing the re- 
quest. If sufficient funds are not available the request is 
rejected at 506. If sufficient funds are available the post- 
age and certificate meter communication key is re- 
trieved at 508. The postage and certificate meter there- 
after generates a public and private key pair at 510. 
Thus, the secure postage and certificate meter subsys- 
tem 21B securely generates the private key at 510. 
Thus, the private key is never available outside of the 
secure housing of the postage and certificate meter sub- 
system 21 a. In this preferred embodiment the private 
key is not known to anyone, including the certificate 
owner, therefore the postage and certificate meter can 
enforce charges for any use of the private key. 

If less security is required and depending upon the 
configuration and needs of the system, the system can 
be modified such that the user can enter the private key 
into the postage and certificate meter subsystem 218. 
The certificate request is communicated to the certifi- 
cate authority using the certificate communication key 
at 512. This key is shown at 256 in FIGURE 2. 

A determination is made at 514 to whether the user 
identification has been verified. If the verification fails, 
the request is rejected at 516. If the identity is verified 
the certificate generated by certification is received from 
the authority at 518. Thereafter, the certificate is in- 
stalled in the postage and certificate meter subsystem 
218 via the personal computer modem 220 and proces- 
sor 212 and communication port 216 to the communi- 
cation port 234 of the postage and certificate meter sub- 
system 21 8. Additionally at 520 the funds are deducted 
from the postage and certificate meter for the generation 
and the requested certificate which activates user's pri- 
vate key. 

Reference is now made to FIGURE 6 showing the 
process for revoking an issued certificate. This may oc- 
cur, for example, where an individual believes that his 
or her private key has been compromised or as a matter 
of routine security where private keys are periodically 
updated and the like. Also, such revocation can occur 
when the authorization conditions can no longer be ob- 
tained and the certificate should, accordingly, be re- 
voked. A request to the certificate authority to revoke a 
certificate is signed at 602. A verification of the request 
signature is made at 604. If the verification fails, the rev- 
ocation request is rejected at 606. If the signature is ver- 
ified, a signed message is issued to the postage and 
certificate meter subsystem 218 to revoke the certificate 
in question at 608. The postage and certificate meter 
subsystem 218 checks the signature on the revocation 
response at 610. If the signature fails to be verified at 
612. the response issuing the signed message is reject- 
ed at 614. If on the other hand, the signature is verified, 
the postage and certificate meter revokes the certificate 
at 616. A determination is then made if sufficient funds 
are available at 618. If sufficient funds are not available 
a signed confinnation of the revocation and payment 
due is issued at 620. Thereafter, the revocation time and 



reason in the certification authority database is entered 
at 622. Further procedures, not shown may be taken to 
ensure payment due is in fact received. The handling of 
debiting the registers for certificate revocation will de- 
s pend on the nature of the system and certificate involved 
and this may even be included as part of the certificate 
itself. 

If at 618 sufficient funds are available, the signed 
confirmation of revocation and payment is issued at 624. 
10 This is entered into the certificate authority database at 
622. 

The process described in FIGURE 6 nnay be adapt- 
ed for a forced revocation of due certificate, for a exam- 
ple by the certification authority or its agent . In this case, 
^5 at the contract with the certification authority or during 
inspection process due revocation starts at 608. The 
payment at 624 can be disabled. If no contact is made 
the certificate meter will either run out of money or timed 
out after a prespecified time period. 

Reference is now made to FIGURE 7A. A line of 
credit certificate 702 is shown as an example of one type 
of credit certificate. This certificate similar to the certifi- 
cate shown in FIGURE 1 includes the name of the indi- 
vidual receiving credit at 704. the serial number or 
unique identifier of the certificate at 706 and the public 
key of the creditor (person receiving credit) may prefer- 
ably be included at 708. The credit issuer identification 
may be included at 71 0 as well as the credit line amount 
at 712, the validity dates at 714 and the authorized use 
at 71 6. Also included in the certificate is the credit issuer 
signature 718. The creditor private key is shown at 720 
and is securely maintained by the creditor. 

It should be noted that the name at 704 as well as 
the name in various other certificates shown in the 
present applicatbn is in fact a unique identifier and may 
be a number or other identifying data of the certificate 
holder. 

Reference is now made to FIGURE 7B which is an- 
other example of a certificate, here a payment certificate 
which is related to the line of credit certificate shown in 
7A. The certificate shown generally at 722 may include 
the name of the certificate holder at 724, unique identi- 
fication or serial number at 726, meter identification at 
728, digest of line of credit certificate at 730, amount 
authorized at 731. credit remaining at 732 and, finally, 
the postage and certificate meter signature at 734. The 
user private key associated with the signature is shown 
at 736 and is treated as confidential and protected in- 
formation. 

Reference is now made to FIGURE 8 showing the 
process for receiving a line of credit. The request for 
credit with postage and certificate meter postmark is In- 
itiated at 802. The creditor determines whether to issue 
credit at 804. If the credit check fails, the creditor rejects 
the request at 806. If the credit check passes, the cred- 
itor generates the line of credit certificate at 808. The 
line of credit is received by the requester at 810 and an 
initial payment certificate with credit remaining equal to 
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the full line of credit can be created at 812. This certifi- 
cate is stored in the postage and certificate meter sub- 
system 216 memory 226. 

Reference is now made to FIGURE 9 showing pay- 
ment from a issued line of credit. A request for payment s 
from the line of credit is initiated at 902. This request 
may be initiated by the user of the postage and certifi- 
cate meter 218 as part of a transaction purchasing 
goods or services. If sufficient funds are determined to 
be not available at 904 the request is rejected at 906. If, io 
on the other hand, sufficient funds are determined to be 
available at 904, the payment amount is subtracted from 
the credit remaining at 908 and a payment certificate is 
created at 910. In this manner a payment certificate is 
created and provided to the merchant evidencing the ^5 
availability of funds to pay for the transaction and ena- 
bles the merchant who receives and authenticates the 
payment certificate to receive funds from the requester's 
bank. The merchant delivers the merchandise and 
sends a copy of the payment certificate to the party who 
provided the credit to the user of the postage and cer- 
tificate meter subsystem 218. This is evidence of au- 
thorization by the user and authorizes the issuer of credit 
to pay the merchant. This constitutes the proof of re- 
quest of payment and constitutes an authorization by 25 
the user to have payment issued to the merchant. While 
the present invention has been disclosed and described 
with reference to the disclosed embodiments thereof, it 
will be apparent, as noted above, that variations and 
modifications may be made. 30 

It should be recognized that the present invention 
provides a mechanism for the active forceful revocation 
of the certificate itself so that the certificate holder can- 
not reuse the certificate. This is for several reasons. The 
funding registers periodically must be serviced. For as- 3S 
cending/descending register systems, the recharging 
process where funds are added require communica- 
tions with the trusted third party at which time the revo- 
cation can be implemented Moreover, as noted above, 
in certain countries meters are leased and owned by the 
manufacturer thereby giving legal access to the meter. 
For current account systems, failure to sen^ice the meter 
can cause the meter to lock up. \ferious lock ups and 
time outs can also be included in the meter to preclude 
further operation of the system. Additionally, by virtue of 45 
the utilization of the postage or value metering including 
postage metering devices, inherent advantages in the 
postage metering system such as inspections, security, 
trusted third party (postal authority) become available to 
utilize for enhanced security. so 

While the present invention has been disclosed and 
described with reference to the disclosed embodiments 
thereof, it will be apparent that many various and mod- 
ifications may be made. For example when a user needs 
to verify a certificate obtained from another party, the S5 
user needs to have access to the public key of the trust- 
ed third party certification authority that signed the cer- 
tificate in question. This can be done by storing the cer- 



tification authority's public key in the postage and certif- 
icate meter and updating this key when needed by using 
communication parts 234 and 21 6 (Fig. 2) or by entering 
this key manually via personal computer 204. As anoth- 
er example, the postage meter and certificate meter 
subsystem may be implemented as a smart card or as 
a computer card peripheral or internal circuit board or 
as a computer PCf\/ICIA card, also known as PC card. 
Thus, it is intended in the following claims to cover each 
variation and modification that falls within the true spirit 
and scope of the present invention. 



Claims 

1 . A system, comprising: 

register means; 

means for processing a cryptographic certifi- 
cate adapted to provide security functionality; 
and, 

means operatlvely connected to said register 
means and said processing means for adjust- 
ing said register means to account for services 
when said cryptographic certificate is proc- 
essed. 

2. A system as defined in CLAIM 1 wherein said reg- 
ister means have funds stored therein and said 
means for adjusting debits funds stored in said reg- 
ister means when said cryptographic certificate is 
processed. 

3. A system as defined in CLAIM 1 or 2 further com- 
prising means for inhibiting processing of said cryp- 
tographic certificate when funds stored in said reg- 
ister means are below a predetermined amount as- 
sociated with processing said cryptographic certifi- 
cate. 

4. A system as defined in any preceding CLAI M further 
comprising a secure housing, said means for 
processing a certificate are mounted within said se- 
cure housing. 

5. A system defined in any preceding CLAIM wherein 
said means for processing a cryptographic certifi- 
cate has cryptographic key means. 

6. A system as defined in CLAIM 5 wherein said cryp- 
tographic key means includes a private key for use 
in a public key system. 

7. A system as defined in CLAI M 6 wherein said cryp- 
tographic key means further includes a public key 
associated with said private key, said public key be- 
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ing signed with the private key of a certification au- 
thority and said public key being available to a user 
of the system. 

8. A system as defined in any one of claims 5 to 7, 
further comprising communications means coupled 
to said means for processing a cryptographic cer- 
tificate for providing means for communicatin g cryp- 
tographic key information for storage in said cryp- 
tographic key means. 

9. A system as defined in CLAIM 8 wherein said 
means for communicating is mounted within said 
secure housing and provides a communication path 
from outside said secure housing to within said se- 
cure housing. 

10. A system as defined in CLAIM 8 or 9 further com- 
prising an input means coupled to said communica- 
tions means for inputting data into said system. 

11. Asystem as defined in CLAIM 10 wherein said input 
means is a personal computer means, said person- 
al computer means including modem means for en- 
abling communications with a remote location and 
enabling communications from said remote location 
to said communications means for entering data in- 
to said system from said remote location. 

12. A system as defined in any preceding CLAIM 
wherein said means for processing a cryptographic 
certificate includes means for generating a crypto- 
graphic certificate. 

13. A system as defined in any preceding CLAIM where 
said means for processing of a cryptographic cer- 
tificate includes means for verifying a cryptographic 
certificate. 

14. A system as defined in any preceding CLAIM 
wherein said means for processing cryptographic 
certificates includes key generator means. 

15. A system as defined in any preceding CLAIM further 
including recharging means coupled to said register 
means to enable funds stored in said register 
means to be remotely recharged with additional 
funds. 

16. A system as defined in any preceding CLAIM 
wherein said adjusting means includes a table of 
charges for a plurality of services capable of being 
provided when said cryptographic certificate is 
processed. 

17. A system, comprising: 

register means for storing funds; 
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means for processing a digital token providing 
proof of postage payment; 

means for processing a cryptographic certifi- 
5 cate adapted to provide security functionality; 

and, 

means, operatively connected to said register 
means and to said means for processing a dig- 
^0 ital tokens and to said means for processing a 

certificate, for debiting funds stored in said reg- 
ister means when said digital token is proc- 
essed and when said cryptographic certificate 
is processed. 

15 

1 8. A system as defined in CLAI M 1 7 further comprising 
means operatively connected to said register 
means for inhibiting the processing of said digital 
token when the funds stored in said register means 

20 are below a predetermined amount associated with 
processing of said digital token and for inhibiting 
processing of said cryptographic certificate when 
the funds stored in said register means are below a 
predetermined amount associated with processing 
25 said cryptographic certificate. 

19. A system defined in CLAIM 17 or 18 wherein said 
means for processing a digital token has first cryp- 
tographic key means and said means for process- 

30 ing a cryptographic certificate has second crypto- 
graphic key means. 

20. A system as defined in any one of claims 17 to 19 
further comprising a secure housing, said means for 

35 processing a digital token and said means for 
processing a cryptographic certificate mounted 
within said secure housing. 

21. A system as defined in any one of claims 17 to 20 
40 wherein said first cryptographic key means includes 

a secret key for use in secret key encryption system 
and said second cryptographic key means includes 
a private key for use in a public key encryption sys- 
tem. 

45 

22. A system as defined in CLAIM 21 wherein said sec- 
ond cryptographic key means further includes a 
public key associated with said private key, said 
public key being signed with the private key of a cer- 

50 tification authority. 

23. A system as defined in CLAIM 22 as dependent on 
claim 19 further comprising communications means 
coupled to said means for processing a digital token 

55 and said means for processing a cryptographic cer- 
tificate for providing a communications path for 
communicating cryptographic key information for 
storage in said first cryptographic key means and in 
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said second cryptographic key means. 

24. A system as defined in CLAIM 23 as dependent on 
claim 20 wherein said means for communicating is 
mounted within said secure housing and said com- 
munication path enables communications from out- 
side said secure housing to within said secure hous- 
ing. 

25. A system as defined in CLAI M 24further comprising 
an input means coupled to said communications 
means for inputting data into said system. 

26. A system as defined in CLAI M 25 wherein said input 
means is a personal computer means, said person- 
al computer means including modem means for en- 
abling communications with a remote location and 
enabling communications from said renriote location 
to said communications means for enteririg data in- 
to said system from said remote location. 

27. Asystemasdefinedinanyofclaims 17to 26 where- 
in said means for processing a cryptographic certif- 
icate includes generating said cryptographic certif- 
icate. 

28. A system as defined in any of claims 1 7 to 27 where 
said processing of said cryptographic certificate 
comprises verifying said cryptographic certificate. 

29. A system defined in any one of claims 17 to 28 fur- 
ther comprising a plurality of further means for 
processing cryptographic certificates. 

30. A system as defined in any one of claims 17 to 29 
further including recharging means coupled to said 
register means to enable funds stored in said reg- 
ister means to be remotely recharged with addition- 
al funds. 

31. A system as defined in any one of claims 17 to 30 
wherein said means for processing a digital token 
includes generating said digital token. 

32. A system, comprising: 

register means; 



adjusting said register means to account for 
sen/ices when said cryptographic certificate is 
processed and when said digital token is proc- 
essed. 

5 

33. A method for use in a system having a register 
means, comprising: 

processing a cryptographic certificate adapted 
^0 to provide security functionality; and, 

adjusting said register means to account for 
services when said cryptographic certificate is 
processed. 

15 

34. A method for use in a system having register means 
for storing funds, comprising: 

processing a digital token providing proof of 
20 postage payment; 

processing a cryptographic certificate adapted 
to provide security functionality; and, 

25 debiting funds stored in said register means 

when said digital token is processed and when 
said cryptographic certificate is processed. 



35 



40 



means for processing a digital token providing 
proof of postage payment; so 

means for processing a cryptographic certifi- 
cate adapted to provide security functionality; 
and. 

S5 

means, operatively connected to said means 
for processing a digital token and to said means 
for processing a cryptographic certificate, for 
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